CVE-2026-26329
Path Traversal in File Management Skill
What this means in plain English
A skill can read any file on your computer by using path tricks like '../../../'. This means a malicious skill could access your SSH keys, AWS credentials, password manager databases, or any other sensitive file on your system.
Technical description
A path traversal vulnerability in OpenClaw's file management skill allows reading files outside the intended working directory by using sequences like '../' in file paths.
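The containment check that this class of bug lacks, shown beside the vulnerable pattern. This is an added example, not OpenClaw's code or its actual patch; the function names, working directory and sample paths are constructed for illustration.

```javascript
// Added example. naiveResolve, resolveInsideWorkdir and audit are
// hypothetical names, not OpenClaw's API.
const path = require("node:path");

// Vulnerable pattern: join() collapses "../" segments, so the result can
// land anywhere on the filesystem.
function naiveResolve(workdir, requested) {
  return path.join(workdir, requested);
}

// Hardened pattern: resolve to an absolute path, then require the result
// to be the working directory itself or something beneath it.
function resolveInsideWorkdir(workdir, requested) {
  if (typeof requested !== "string" || requested.includes("\0")) {
    throw new Error("invalid path");
  }
  const root = path.resolve(workdir);
  const target = path.resolve(root, requested);
  const rel = path.relative(root, target);
  // Comparing whole segments avoids two classic mistakes: a prefix test
  // accepts a sibling such as "work-backup", and a bare startsWith("..")
  // rejects a legitimate file named "..notes.txt".
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes working directory");
  }
  return target;
}

// Run the check over a list of requested paths and record each decision.
function audit(workdir, requests) {
  return requests.map((requested) => {
    try {
      return { requested, allowed: true, path: resolveInsideWorkdir(workdir, requested) };
    } catch (err) {
      return { requested, allowed: false, reason: err.message };
    }
  });
}

// Constructed sample input, for illustration only.
const WORKDIR = "/srv/agent/work";
const SAMPLE_REQUESTS = [
  "notes/todo.txt",
  "../../../home/user/.ssh/id_rsa",
  "/etc/hostname",
  "../work-backup/data.db",
  "..notes.txt",
];
for (const r of audit(WORKDIR, SAMPLE_REQUESTS)) console.log(r);
```

This check is purely lexical; if the working directory can contain symlinks, resolve both paths with `fs.realpathSync` before comparing.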
Affected versions
< 0.12.9
Fixed in: 0.12.9
Details
Are you affected?
- Run `openclaw --version`
- Versions below 0.12.9 are affected
- Check if you have file management skills installed
How to fix
- Update: `npm update -g openclaw`
- Review file access logs if available
- Rotate credentials if file management skills were installed
Scan your skills for this vulnerability
Use GitOpenClaw to scan any skill, repo, or install command for patterns associated with CVE-2026-26329 and other known vulnerabilities. Free, no account required.
References
- https://armo.cloud/blog/openclaw-path-traversal